20180521

An SID, short for security identifier, is a number used to identify user, group, and computer accounts in Windows. SIDs are created when the account is first created in Windows and no two SIDs on a computer are ever the same. The term security ID is sometimes used in place of SID or security identifier.

The system uses an access token to identify the user when a thread interacts with a securable object or tries to perform a system task that requires privileges. Access tokens contain the following information: the security identifier (SID) for the user's account, and the SIDs for the groups of which the user is a member.

The token contains a list of all of the SIDs associated with the user account, including the account’s SID, and the SIDs of all groups and special identities of which the user account is a member (for example, Domain Admins or INTERACTIVE). You can use a tool such as the whoami command to discover which SIDs are associated with a logon session, as shown next:

This example shows that the current process is run in the context of user freebooter, who is a member of Administrators and Authenticated Users and also belongs to the special identities Everyone, LOCAL, and INTERACTIVE. When freebooter attempts to access a resource, such as a file, the Windows security subsystem compares his token to the DACL on the object, which specifies SIDs that are permitted to access the object and includes the ways it may be accessed (such as read, write, execute, and so on). If one of the SIDs in freebooter’s token matches a SID in the DACL, then freebooter is granted access as specified in the DACL.

Information

DACLs and ACEs. If a Windows object does not have a discretionary access control list (DACL), the system allows everyone full access to it. If an object has a DACL, the system allows only the access that is explicitly allowed by the access control entries (ACEs) in the DACL.
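The token-to-DACL comparison described above can be modelled in a few lines. This is an added example, not code from the original page or from Windows itself; it goes slightly beyond the text by also modelling access-denied ACEs and in-order evaluation, and it separates the "no DACL" case from an empty DACL. The right bits, the account SID and the sample DACL are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Simplified right bits for illustration (not the real Windows access-mask values).
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4

@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # trustee SID the entry applies to
    mask: int   # rights the entry allows or denies

def access_check(token_sids: set, dacl: Optional[list], desired: int) -> bool:
    """Return True if every requested right is granted to the token."""
    if dacl is None:             # object has no DACL: everyone gets full access
        return True
    remaining = desired          # requested rights not yet granted
    for ace in dacl:             # ACEs are evaluated in order
        if ace.sid not in token_sids:
            continue             # entry names a SID the token does not hold
        if ace.kind == "deny" and ace.mask & remaining:
            return False         # a still-needed right is explicitly denied
        if ace.kind == "allow":
            remaining &= ~ace.mask
        if remaining == 0:
            return True          # everything requested has been allowed
    return False                 # end of list reached; an empty DACL grants nothing

# Constructed token: a made-up account SID plus well-known SIDs for Everyone,
# Administrators, Authenticated Users, INTERACTIVE and LOCAL.
USER = "S-1-5-21-1111111111-2222222222-3333333333-1001"
TOKEN = {USER, "S-1-1-0", "S-1-5-32-544", "S-1-5-11", "S-1-5-4", "S-1-2-0"}

# Constructed DACL: user denied write, Administrators read/write, Everyone read.
DACL = [
    Ace("deny", USER, WRITE),
    Ace("allow", "S-1-5-32-544", READ | WRITE),
    Ace("allow", "S-1-1-0", READ),
]

if __name__ == "__main__":
    print("read:", access_check(TOKEN, DACL, READ))
    print("read+write:", access_check(TOKEN, DACL, READ | WRITE))
    print("no DACL:", access_check(TOKEN, None, READ | WRITE | EXECUTE))
    print("empty DACL:", access_check(TOKEN, [], READ))
```

When auditing permissions, the two cases worth flagging are an object with no DACL at all (open to everyone) and an allow entry that sits ahead of a deny entry for the same right.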
